[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

Sun Feb 20 23:13:18 UTC 2011

The following commit has been merged in the webkit-1.3 branch:
commit 6b5d98b0fc19134fd0fe5a0d24cb87aaea599bae
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jan 19 02:37:59 2011 +0000

    2011-01-18  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
            https://bugs.webkit.org/show_bug.cgi?id=52690
    
            Add a few more tests.
    
            * fast/js/function-dot-arguments-expected.txt:
            * fast/js/script-tests/function-dot-arguments.js:
            (overwroteArgumentsInDynamicScope1):
            (overwroteArgumentsInDynamicScope2):
            (overwroteArgumentsInDynamicScope3):
    2011-01-18  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
            https://bugs.webkit.org/show_bug.cgi?id=52690
    
            Clean up code to retrieve arguments from activation and function objects.
            Remove the incorrect assertion from JSActivation's argumentsGetter.
    
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::retrieveArguments):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::argumentsGetter):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76090 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2428ef3..73e783e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
+        https://bugs.webkit.org/show_bug.cgi?id=52690
+
+        Add a few more tests.
+
+        * fast/js/function-dot-arguments-expected.txt:
+        * fast/js/script-tests/function-dot-arguments.js:
+        (overwroteArgumentsInDynamicScope1):
+        (overwroteArgumentsInDynamicScope2):
+        (overwroteArgumentsInDynamicScope3):
+
 2011-01-18  Dmitry Titov  <dimich at chromium.org>
 
         [Chromium] Not reviewed, adding pixel expectations for new test.
diff --git a/LayoutTests/fast/js/function-dot-arguments-expected.txt b/LayoutTests/fast/js/function-dot-arguments-expected.txt
index b94c047..5552bee 100644
--- a/LayoutTests/fast/js/function-dot-arguments-expected.txt
+++ b/LayoutTests/fast/js/function-dot-arguments-expected.txt
@@ -37,6 +37,9 @@ PASS argumentsNotLiveWrite1(0, 2, 3) is 0
 PASS argumentsNotLiveWrite2(1, 0, 3) is 0
 PASS argumentsNotLiveWrite3(1, 2, 0) is 0
 PASS argumentsIdentity() is true
+PASS overwroteArgumentsInDynamicScope1() is true
+PASS overwroteArgumentsInDynamicScope2() is true
+PASS overwroteArgumentsInDynamicScope3() is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/function-dot-arguments.js b/LayoutTests/fast/js/script-tests/function-dot-arguments.js
index 1e42457..99c8713 100644
--- a/LayoutTests/fast/js/script-tests/function-dot-arguments.js
+++ b/LayoutTests/fast/js/script-tests/function-dot-arguments.js
@@ -305,4 +305,22 @@ function argumentsIdentity()
 }
 shouldBeTrue("argumentsIdentity()");
 
+function overwroteArgumentsInDynamicScope1() {
+    eval("arguments = true"); 
+    return arguments;
+}
+
+function overwroteArgumentsInDynamicScope2() {
+    arguments = true;
+    return eval("arguments");
+}
+
+function overwroteArgumentsInDynamicScope3() {
+    eval("arguments = true"); 
+    return overwroteArgumentsInDynamicScope3.arguments;
+}
+shouldBeTrue("overwroteArgumentsInDynamicScope1()");
+shouldBeTrue("overwroteArgumentsInDynamicScope2()");
+shouldBeTrue("overwroteArgumentsInDynamicScope3()");
+
 var successfullyParsed = true;
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 095a940..27f2064 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
+        https://bugs.webkit.org/show_bug.cgi?id=52690
+
+        Clean up code to retrieve arguments from activation and function objects.
+        Remove the incorrect assertion from JSActivation's argumentsGetter.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::retrieveArguments):
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::argumentsGetter):
+
 2011-01-18  Geoffrey Garen  <ggaren at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index cf9f8a1..392e8b8 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -4802,12 +4802,13 @@ JSValue Interpreter::retrieveArguments(CallFrame* callFrame, JSFunction* functio
     if (codeBlock->usesArguments()) {
         ASSERT(codeBlock->codeType() == FunctionCode);
         int argumentsRegister = codeBlock->argumentsRegister();
-        if (!functionCallFrame->r(argumentsRegister).jsValue()) {
-            JSValue arguments = JSValue(new (callFrame) Arguments(functionCallFrame));
-            functionCallFrame->r(argumentsRegister) = arguments;
-            functionCallFrame->r(unmodifiedArgumentsRegister(argumentsRegister)) = arguments;
-        }
-        return functionCallFrame->r(argumentsRegister).jsValue();
+        int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
+        if (JSValue arguments = functionCallFrame->uncheckedR(argumentsRegister).jsValue())
+            return arguments;
+        JSValue arguments = JSValue(new (callFrame) Arguments(functionCallFrame));
+        functionCallFrame->r(argumentsRegister) = arguments;
+        functionCallFrame->r(realArgumentsRegister) = arguments;
+        return arguments;
     }
 
     Arguments* arguments = new (functionCallFrame) Arguments(functionCallFrame);
diff --git a/Source/JavaScriptCore/runtime/JSActivation.cpp b/Source/JavaScriptCore/runtime/JSActivation.cpp
index e36d50e..428403d 100644
--- a/Source/JavaScriptCore/runtime/JSActivation.cpp
+++ b/Source/JavaScriptCore/runtime/JSActivation.cpp
@@ -203,14 +203,16 @@ JSValue JSActivation::argumentsGetter(ExecState*, JSValue slotBase, const Identi
     JSActivation* activation = asActivation(slotBase);
     CallFrame* callFrame = CallFrame::create(activation->d()->registers);
     int argumentsRegister = activation->d()->functionExecutable->generatedBytecode().argumentsRegister();
-    if (!callFrame->uncheckedR(argumentsRegister).jsValue()) {
-        JSValue arguments = JSValue(new (callFrame) Arguments(callFrame));
-        callFrame->uncheckedR(argumentsRegister) = arguments;
-        callFrame->uncheckedR(unmodifiedArgumentsRegister(argumentsRegister)) = arguments;
-    }
+    if (JSValue arguments = callFrame->uncheckedR(argumentsRegister).jsValue())
+        return arguments;
+    int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
 
-    ASSERT(callFrame->uncheckedR(argumentsRegister).jsValue().inherits(&Arguments::info));
-    return callFrame->uncheckedR(argumentsRegister).jsValue();
+    JSValue arguments = JSValue(new (callFrame) Arguments(callFrame));
+    callFrame->uncheckedR(argumentsRegister) = arguments;
+    callFrame->uncheckedR(realArgumentsRegister) = arguments;
+    
+    ASSERT(callFrame->uncheckedR(realArgumentsRegister).jsValue().inherits(&Arguments::info));
+    return callFrame->uncheckedR(realArgumentsRegister).jsValue();
 }
 
 // These two functions serve the purpose of isolating the common case from a

-- 
WebKit Debian packaging

